Linux · Linux Kernel · CVE-2021-47277
**Name of the Vulnerable Software and Affected Versions**
Linux kernel (affected versions not specified)
**Description**
The issue concerns KVM's mechanism for accessing guest memory, which translates a guest physical address into a host virtual address. A guest can access invalid physical addresses, resulting in an invalid `gfn`. The `__gfn_to_hva_memslot` function is called from `kvm_vcpu_gfn_to_hva_prot`, which first retrieves a memslot through `__gfn_to_memslot`. While `__gfn_to_memslot` checks whether the `gfn` falls within the boundaries of the guest's physical memory, a CPU can speculate the result of that check and continue executing speculatively with an illegal `gfn`. This speculation can result in computing an out-of-bounds `hva`. If the resulting host virtual address is then used to load another guest physical address, this is effectively a Spectre gadget consisting of two consecutive reads, the second of which is data dependent on the first. It is not clear whether there are any cases in which this is exploitable. One interesting case involves walking guest page tables on x86, but these are not currently vulnerable because of the LFENCE speculation barrier in `get_user()`. However, patches are in progress to mask kernel addresses instead of using LFENCE, which could potentially allow a guest to use speculation to read from the VMM's ring 3 address space.
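As an added illustration (a constructed user-space model, not KVM's own code), the gfn-to-hva step described above in two forms: the raw `gfn - base_gfn` arithmetic, and the same computation with the page offset clamped branchlessly in the style of the kernel's `array_index_nospec()` helper, so that a `gfn` which only speculatively passed the memslot range check cannot yield an `hva` outside the slot's host mapping. The `struct memslot` layout, `PAGE_SHIFT` value and sample slot are assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12  /* assumed 4 KiB pages */

/* Constructed model of a KVM memslot: a contiguous guest-frame range mapped
 * onto a host-virtual range (not the kernel's struct kvm_memory_slot). */
struct memslot {
    uint64_t base_gfn;        /* first guest frame number in the slot */
    uint64_t npages;          /* number of pages in the slot */
    uint64_t userspace_addr;  /* host virtual address of the first page */
};

/* Branchless clamp modelled on the kernel's array_index_nospec(): returns
 * index when index < size and 0 otherwise, using a mask rather than a
 * conditional branch so a mis-speculated path cannot carry an
 * out-of-range index into the address computation. */
static uint64_t index_nospec(uint64_t index, uint64_t size)
{
    uint64_t mask = 0 - (uint64_t)(index < size);  /* all ones or all zeros */
    return index & mask;
}

/* Unhardened form: trusts that the caller's range check was not speculated
 * past, so a gfn outside the slot (above it, or below it via unsigned
 * wrap-around) produces an hva outside the slot's host mapping. */
static uint64_t gfn_to_hva_unhardened(const struct memslot *s, uint64_t gfn)
{
    uint64_t offset = gfn - s->base_gfn;
    return s->userspace_addr + (offset << PAGE_SHIFT);
}

/* Hardened form: the page offset is clamped to [0, npages) before it feeds
 * the address computation, so the hva stays inside the slot on every path. */
static uint64_t gfn_to_hva_hardened(const struct memslot *s, uint64_t gfn)
{
    uint64_t offset = index_nospec(gfn - s->base_gfn, s->npages);
    return s->userspace_addr + (offset << PAGE_SHIFT);
}

int main(void)
{
    /* constructed slot: 16 pages at guest frame 0x100, host VA 0x7f0000000000 */
    const struct memslot slot = { 0x100, 16, 0x7f0000000000ULL };
    uint64_t bad_gfn = 0x120;  /* 32 pages past base_gfn: outside the slot */
    printf("unhardened hva: 0x%llx\n", (unsigned long long)gfn_to_hva_unhardened(&slot, bad_gfn));
    printf("hardened hva:   0x%llx\n", (unsigned long long)gfn_to_hva_hardened(&slot, bad_gfn));
    return 0;
}
```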
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.